@@ -110,6 +110,81 @@ BOOST_AUTO_TEST_CASE(kzg_random_test) {
110110 BOOST_CHECK (kzg_type::verify_eval (srs, proof, commit, i, eval));
111111}
112112
113+ BOOST_AUTO_TEST_CASE (kzg_false_test) {
114+
115+ typedef algebra::curves::mnt4<298 > curve_type;
116+ typedef typename curve_type::base_field_type::value_type base_value_type;
117+ typedef typename curve_type::base_field_type base_field_type;
118+ typedef typename curve_type::scalar_field_type scalar_field_type;
119+ typedef typename curve_type::scalar_field_type::value_type scalar_value_type;
120+ typedef zk::commitments::kzg_commitment<curve_type> kzg_type;
121+
122+ scalar_value_type alpha = 10 ;
123+ scalar_value_type i = 2 ;
124+ std::size_t n = 16 ;
125+ const polynomial<scalar_value_type> f = {100 , 1 , 2 , 3 };
126+
127+ auto srs = kzg_type::setup ({n, alpha});
128+
129+ auto commit = kzg_type::commit (srs, f);
130+
131+ auto eval = f.evaluate (i);
132+ auto proof = kzg_type::proof_eval (srs, f, i, eval);
133+
134+ BOOST_CHECK (kzg_type::verify_eval (srs, proof, commit, i, eval));
135+
136+ // wrong srs
137+ auto ck2 = srs.commitment_key ;
138+ ck2[0 ] = ck2[0 ] * 2 ;
139+ auto srs2 = kzg_type::srs_type (ck2, srs.verification_key * 2 );
140+ BOOST_CHECK (!kzg_type::verify_eval (srs2, proof, commit, i, eval));
141+
142+ // wrong commit
143+ auto commit2 = commit * 2 ;
144+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, commit2, i, eval));
145+
146+ // wrong i
147+ auto i2 = i * 2 ;
148+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, commit, i2, eval));
149+
150+ // wrong eval
151+ auto eval2 = eval * 2 ;
152+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, commit, i, eval2));
153+
154+ // wrong proof
155+ {
156+ // wrong srs
157+ typename kzg_type::proof_type proof2;
158+ bool exception = false ;
159+ try {proof2 = kzg_type::proof_eval (srs2, f, i, eval);}
160+ catch (std::runtime_error& e) {exception = true ;}
161+ if (!exception) {
162+ BOOST_CHECK (proof2 != proof);
163+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, commit, i, eval), " wrong srs"
164+ }
165+
166+ // wrong i
167+ exception = false ;
168+ try {proof2 = kzg_type::proof_eval (srs, f, i2, eval);}
169+ catch (std::runtime_error& e) {exception = true ;}
170+ if (!exception) {
171+ BOOST_CHECK (proof2 != proof);
172+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, commit, i, eval), " wrong i"
173+ }
174+
175+ // wrong eval
176+ exception = false ;
177+ try {proof2 = kzg_type::proof_eval (srs, f, i, eval2);}
178+ catch (std::runtime_error& e) {exception = true ;}
179+ if (!exception) {
180+ BOOST_CHECK (proof2 != proof);
181+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, commit, i, eval), " wrong eval"
182+ }
183+ }
184+ auto proof2 = proof * 2 ;
185+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof2, commit, i, eval));
186+ }
187+
113188BOOST_AUTO_TEST_CASE (kzg_batched_accumulate_test) {
114189
115190 typedef algebra::curves::mnt4<298 > curve_type;
@@ -288,4 +363,121 @@ BOOST_AUTO_TEST_CASE(kzg_batched_random_test) {
288363 BOOST_CHECK (kzg_type::verify_eval (srs, proof, evals, cs, zs, gammas, r));
289364}
290365
366+ BOOST_AUTO_TEST_CASE (kzg_batched_false_test) {
367+
368+ typedef algebra::curves::bls12<381 > curve_type;
369+ typedef typename curve_type::base_field_type::value_type base_value_type;
370+ typedef typename curve_type::base_field_type base_field_type;
371+ typedef typename curve_type::scalar_field_type scalar_field_type;
372+ typedef typename curve_type::scalar_field_type::value_type scalar_value_type;
373+ typedef zk::commitments::kzg_batched_commitment<curve_type> kzg_type;
374+
375+ scalar_value_type alpha = 7 ;
376+ std::size_t n = 298 ;
377+ const std::vector<polynomial<scalar_value_type>> fs{{
378+ {{1 , 2 , 3 , 4 , 5 , 6 , 7 , 8 }},
379+ {{11 , 12 , 13 , 14 , 15 , 16 , 17 , 18 }},
380+ {{21 , 22 , 23 , 24 , 25 , 26 , 27 , 28 }},
381+ {{31 , 32 , 33 , 34 , 35 , 36 , 37 , 38 }},
382+ }};
383+ const std::vector<polynomial<scalar_value_type>> gs{{
384+ {{71 , 72 , 73 , 74 , 75 , 76 , 77 , 78 }},
385+ {{81 , 82 , 83 , 84 , 85 , 86 , 87 , 88 }},
386+ {{91 , 92 , 93 , 94 , 95 , 96 , 97 , 98 }},
387+ }};
388+ const std::vector<polynomial<scalar_value_type>> hs{{
389+ {{71 , 72 , 73 , 74 , 75 , 76 , 77 , 78 , 79 , 80 , 81 }},
390+ }};
391+ typename kzg_type::batch_of_batches_of_polynomials_type polys = {fs, gs, hs};
392+ std::size_t num_polys = polys.size ();
393+
394+ std::vector<scalar_value_type> zs = {123 , 456 , 789 };
395+ auto evals = kzg_type::evaluate_polynomials (polys, zs);
396+
397+ auto srs = kzg_type::setup ({n, alpha});
398+
399+ std::vector<scalar_value_type> gammas = {54321 , 98760 , 12345 };
400+
401+ auto proof = kzg_type::proof_eval (srs, polys, evals, zs, gammas);
402+
403+ scalar_value_type r = 23546 ;
404+ std::vector<std::vector<kzg_type::commitment_type>> cs;
405+ for (std::size_t j = 0 ; j < num_polys; ++j) {
406+ cs.push_back (kzg_type::commit (srs, polys[j]));
407+ }
408+ BOOST_CHECK (kzg_type::verify_eval (srs, proof, evals, cs, zs, gammas, r));
409+
410+ // wrong verification key
411+ auto ck2 = srs.commitment_key ;
412+ ck2[0 ] = ck2[0 ] * 2 ;
413+ auto srs2 = kzg_type::srs_type (ck2, srs.verification_key * 2 );
414+ BOOST_CHECK (!kzg_type::verify_eval (srs2, proof, evals, cs, zs, gammas, r));
415+
416+ // wrong evals
417+ auto evals2 = evals;
418+ evals2[evals.size () / 2 ][0 ] = evals2[evals.size () / 2 ][0 ] * 2 ;
419+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, evals2, cs, zs, gammas, r));
420+
421+ // wrong commitments
422+ auto cs2 = cs;
423+ cs2[0 ].back () = cs2[0 ].back () * 2 ;
424+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, evals, cs2, zs, gammas, r));
425+
426+ // wrong zs
427+ auto zs2 = zs;
428+ zs2[zs2.size () / 2 ] = zs2[zs2.size () / 2 ] * 2 ;
429+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, evals, cs, zs2, gammas, r));
430+
431+ // wrong gammas
432+ auto gammas2 = gammas;
433+ gammas2[gammas2.size () / 2 ] = gammas2[gammas2.size () / 2 ] * 2 ;
434+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof, evals, cs, zs, gammas2, r));
435+
436+ // wrong proof
437+ {
438+ // wrong srs
439+ typename kzg_type::batched_proof_type proof2;
440+ bool exception = false ;
441+ try {proof2 = kzg_type::proof_eval (srs2, polys, evals, zs, gammas);}
442+ catch (std::runtime_error& e) {exception = true ;}
443+ if (!exception) {
444+ BOOST_CHECK (proof2 != proof);
445+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, evals, cs, zs, gammas, r), " wrong srs"
446+ }
447+
448+ // wrong evals
449+ exception = false ;
450+ try {proof2 = kzg_type::proof_eval (srs, polys, evals2, zs, gammas);}
451+ catch (std::runtime_error& e) {exception = true ;}
452+ if (!exception) {
453+ BOOST_CHECK (proof2 != proof);
454+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, evals, cs, zs, gammas, r), " wrong evals"
455+ }
456+
457+ // wrong zs
458+ exception = false ;
459+ try {proof2 = kzg_type::proof_eval (srs, polys, evals, zs2, gammas);}
460+ catch (std::runtime_error& e) {exception = true ;}
461+ if (!exception) {
462+ BOOST_CHECK (proof2 != proof);
463+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, evals, cs, zs, gammas, r), " wrong zs"
464+ }
465+
466+ // wrong gammas
467+ exception = false ;
468+ try {proof2 = kzg_type::proof_eval (srs, polys, evals, zs, gammas2);}
469+ catch (std::runtime_error& e) {exception = true ;}
470+ if (!exception) {
471+ BOOST_CHECK (proof2 != proof);
472+ BOOST_CHECK_MESSAGE (!kzg_type::verify_eval (srs, proof2, evals, cs, zs, gammas, r), " wrong gammas"
473+ }
474+ }
475+ auto proof2 = proof;
476+ proof2.back () = proof2.back () * 2 ;
477+ BOOST_CHECK (!kzg_type::verify_eval (srs, proof2, evals, cs, zs, gammas, r));
478+
479+ // wrong combination of all
480+ BOOST_CHECK (!kzg_type::verify_eval (srs2, proof2, evals2, cs2, zs2, gammas2, r));
481+ }
482+
291483BOOST_AUTO_TEST_SUITE_END ()
0 commit comments